Suspicious Print Spooler Point and Print DLL
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.
[metadata]
creation_date = "2020/11/26"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/17"
# Floor on the stack version; the reason is carried in min_stack_comments.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service.
Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as
SYSTEM.
"""
# Look-back per execution. NOTE(review): with a 5m schedule this leaves about
# 4m of overlap to absorb ingest delay plus the 30s sequence window below —
# confirm against the interval actually configured for this rule.
from = "now-9m"
# Registry events from Elastic Defend, Elastic Endgame, the Windows
# integration (Sysmon operational channel) and Winlogbeat.
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler Point and Print DLL"
references = [
 "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
 "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030",
]
risk_score = 73
rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
]
type = "eql"

# Two registry writes on the same host.id, in this order, within 30 s:
#  1. a printer's SpoolDirectory value is set to the x64 spooler drivers
#     directory;
#  2. a CopyFiles\Payload\Module value under a printer key is set to a path
#     inside that same directory — per the description, this is how the
#     arbitrary DLL reaches the spooler process.
# Each path is listed in both its HKLM and native \REGISTRY\MACHINE spelling,
# presumably because the data sources above record it differently. The `*`
# segment stands for the printer name. The system root is hard-coded as
# C:\Windows; hosts with a non-default root would need the values adjusted.
# `:` is EQL's case-insensitive, wildcard-aware match. Backslashes are
# doubled for EQL, not for TOML — this is a literal (''') string.
query = '''
sequence by host.id with maxspan=30s
[registry where host.os.type == "windows" and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory"
 ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
[registry where host.os.type == "windows" and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module"
 ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
'''


# ATT&CK mapping: one technique (T1068) under the Privilege Escalation tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"